Fedora has issued an advisory on May 13:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133535.html

They fixed it by adding two patches in this commit:
http://pkgs.fedoraproject.org/cgit/perl-LWP-Protocol-https.git/commit/?h=f20&id=3d177ad2c43908ce407a1bca5de3be0569ed7041

The commit for Fedora 19 has a third patch for "backward compatibility." More details on its purpose in RedHat Bugzilla:
http://pkgs.fedoraproject.org/cgit/perl-LWP-Protocol-https.git/commit/?h=f19&id=c429e72946cb0f3f39dcefdd4a109b225c9a756a
https://bugzilla.redhat.com/show_bug.cgi?id=1094440#c11

I'm not sure if our IO::Socket::SSL is old enough to need the third patch.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
The RedHat bug said that versions prior to 6.04 were not affected, but OpenSuSE released an update for 6.03 (which we have in Mageia 3) for OpenSuSE 12.3 for this, so it may be affected: http://lists.opensuse.org/opensuse-updates/2014-05/msg00072.html
cauldron updated.

perl-LWP-Protocol-https-6.40.0-2.1.mga4 available in core/updates_testing

we shouldn't need the IO::Socket::SSL patch, it's only needed for versions prior to 1.950, while we should have 1.955 in mga4.

Proposed advisory (taken from redhat):
================
This release fixes a server certification validation when a certificate authority is defined by HTTPS_CA_DIR or HTTPS_CA_FILE environment variable.
================

please test & validate.
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
*** Bug 13340 has been marked as a duplicate of this bug. ***
Thanks Jerome. Do you have any idea about whether an update for Mageia 3 is necessary, given Comment 1? If so, the IO::Socket::SSL patch would be needed there.
Given that Debian, who found the bug + proposed the patch, only talks about 6.04 (and never ever mention 6.03), I'd say that we're good. (Note that I didn't look at the code itself, neither at the patch.)
(In reply to David Walser from comment #4)
> Thanks Jerome. Do you have any idea about whether an update for Mageia 3 is
> necessary, given Comment 1? If so, the IO::Socket::SSL patch would be
> needed there.

All the information I can find says only 6.04 and newer are affected. I downloaded the SRPM for the OpenSuSE 12.3 update and it looks like it's not actually a CVE fix, just updating that OpenSuSE release from 6.02 to 6.03.
Advisory:
========================

Updated perl-LWP-Protocol-https package fixes security vulnerability:

It was reported that libwww-perl (LWP), when using IO::Socket::SSL (the default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were set, would disable server certificate verification, when the intent was to only disable hostname verification (CVE-2014-3230).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3230
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133535.html
========================

Updated packages in core/updates_testing:
========================
perl-LWP-Protocol-https-6.40.0-2.1.mga4

from perl-LWP-Protocol-https-6.40.0-2.1.mga4.src.rpm
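As an added illustration of the advisory's point (not code from LWP, IO::Socket::SSL or from this bug report): a dependency-free Perl model of how the HTTPS_CA_FILE / HTTPS_CA_DIR variables become IO::Socket::SSL options, with the CVE-2014-3230 mapping next to a corrected one. The option names are real IO::Socket::SSL options; the mapping functions, the env-to-option rule and the CA path are my own simplification assumed from the advisory text, not the module's code.

```perl
# Added example, not code from LWP, IO::Socket::SSL or this bug report: a
# dependency-free model of the option mapping behind CVE-2014-3230.
use strict;
use warnings;

use constant SSL_VERIFY_NONE => 0;   # same values IO::Socket::SSL exports
use constant SSL_VERIFY_PEER => 1;

# Crypt::SSLeay compatibility rule (assumed from the advisory): with
# HTTPS_CA_FILE or HTTPS_CA_DIR set and no explicit verify_hostname, the
# agent sets verify_hostname=0 and passes the CA location through.
sub ssl_opts_from_env {
    my %env = @_;
    my %o;
    $o{verify_hostname} = ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) ? 0 : 1;
    $o{SSL_ca_file} = $env{HTTPS_CA_FILE} if $env{HTTPS_CA_FILE};
    $o{SSL_ca_path} = $env{HTTPS_CA_DIR}  if $env{HTTPS_CA_DIR};
    return %o;
}

# Vulnerable mapping: verify_hostname=0 is widened into "verify nothing",
# so a certificate from the wrong CA is accepted (the "200 Ok" in the
# bug's test case).
sub sock_opts_vulnerable {
    my %o = @_;
    if (delete $o{verify_hostname}) {
        $o{SSL_verify_mode}     = SSL_VERIFY_PEER;
        $o{SSL_verifycn_scheme} = 'www';
    } else {
        $o{SSL_verify_mode} = SSL_VERIFY_NONE;   # CA check silently dropped
    }
    return %o;
}

# Corrected mapping: verify_hostname=0 only disables the hostname match;
# the chain is still validated against SSL_ca_file / SSL_ca_path.
sub sock_opts_fixed {
    my %o = @_;
    my $check_host = delete $o{verify_hostname};
    $o{SSL_verify_mode}     = SSL_VERIFY_PEER;
    $o{SSL_verifycn_scheme} = $check_host ? 'www' : 'none';
    return %o;
}

my %env   = (HTTPS_CA_FILE => '/etc/pki/tls/certs/example-ca.pem');  # constructed path
my %vuln  = sock_opts_vulnerable(ssl_opts_from_env(%env));
my %fixed = sock_opts_fixed(ssl_opts_from_env(%env));
printf "vulnerable: SSL_verify_mode=%d (peer certificate not checked)\n", $vuln{SSL_verify_mode};
printf "fixed:      SSL_verify_mode=%d SSL_verifycn_scheme=%s\n",
    $fixed{SSL_verify_mode}, $fixed{SSL_verifycn_scheme};
```

On a client that cannot be updated yet, passing `ssl_opts => { verify_hostname => 1, SSL_ca_file => ... }` explicitly to LWP::UserAgent->new keeps the environment-variable compatibility rule out of the picture, since that rule only applies when verify_hostname is left unset.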
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Testing complete mga4 32 & 64 using the test case attached here:
https://bugzilla.redhat.com/show_bug.cgi?id=1094440

Before
------
$ perl testcase.pl
... runs its tests and ends with message ...
# Looks like you failed 1 test of 16.

It actually failed on test 10..
not ok 10 - variable to wrong CA should fail: 200 Ok

After
-----
$ perl testcase.pl
... runs its tests and ends without any failure message.

Test 10 now shows..
ok 10 - variable to wrong CA should fail: 500 Can't connect to 127.0.0.1:36272 (certificate verify failed)
Whiteboard: (none) => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0257.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED